X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Frlm_eap%2Ftypes%2Frlm_eap_peap%2Frlm_eap_peap.c;h=cb460ac829952f6cfc46095836a1181c08426261;hb=2023c9f3d4df8c7160485b36dcfd23faf7cfca80;hp=5aab06a64c57a86512012dee5aba891dc0d7bffa;hpb=ffad474b762518b16eb6b6b0b9346540aafd8664;p=freeradius.git

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
index 5aab06a..cb460ac 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
@@ -46,11 +46,24 @@ typedef struct rlm_eap_peap_t {
 	 */
 	int	copy_request_to_tunnel;
 
+#ifdef WITH_PROXY
 	/*
 	 *	Proxy tunneled session as EAP, or as de-capsulated
 	 *	protocol.
 	 */
 	int	proxy_tunneled_request_as_eap;
+#endif
+
+	/*
+	 *	Virtual server for inner tunnel session.
+	 */
+  	char	*virtual_server;
+
+	/*
+	 * 	Do we do SoH request?
+	 */
+	int	soh;
+  	char	*soh_virtual_server;
 } rlm_eap_peap_t;
 
 
@@ -64,8 +77,19 @@ static CONF_PARSER module_config[] = {
 	{ "use_tunneled_reply", PW_TYPE_BOOLEAN,
 	  offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
 
+#ifdef WITH_PROXY
 	{ "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
 	  offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
+#endif
+
+	{ "virtual_server", PW_TYPE_STRING_PTR,
+	  offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL },
+
+	{ "soh", PW_TYPE_BOOLEAN,
+	  offsetof(rlm_eap_peap_t, soh), NULL, "no" },
+
+	{ "soh_virtual_server", PW_TYPE_STRING_PTR,
+	  offsetof(rlm_eap_peap_t, soh_virtual_server), NULL, NULL },
 
  	{ NULL, -1, 0, NULL, NULL }           /* end the list */
 };
@@ -134,6 +158,7 @@ static void peap_free(void *p)
 	pairfree(&t->username);
 	pairfree(&t->state);
 	pairfree(&t->accept_vps);
+	pairfree(&t->soh_reply_vps);
 
 	free(t);
 }
@@ -152,7 +177,13 @@ static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
 	t->default_eap_type = inst->default_eap_type;
 	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 	t->use_tunneled_reply = inst->use_tunneled_reply;
+#ifdef WITH_PROXY
 	t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
+#endif
+	t->virtual_server = inst->virtual_server;
+	t->soh = inst->soh;
+	t->soh_virtual_server = inst->soh_virtual_server;
+	t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
 
 	return t;
 }
@@ -166,11 +197,20 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 	eaptls_status_t status;
 	rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 	tls_session_t *tls_session = (tls_session_t *) handler->opaque;
+	peap_tunnel_t *peap = tls_session->opaque;
+	REQUEST *request = handler->request;
 
-	DEBUG2("  rlm_eap_peap: Authenticate");
+	/*
+	 *	Session resumption requires the storage of data, so
+	 *	allocate it if it doesn't already exist.
+	 */
+	if (!tls_session->opaque) {
+		peap = tls_session->opaque = peap_alloc(inst);
+		tls_session->free_opaque = peap_free;
+	}
 
 	status = eaptls_process(handler);
-	DEBUG2("  eaptls_process returned %d\n", status);
+	RDEBUG2("eaptls_process returned %d\n", status);
 	switch (status) {
 		/*
 		 *	EAP-TLS handshake was successful, tell the
@@ -180,24 +220,9 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	an EAP-TLS-Success packet here.
 		 */
 	case EAPTLS_SUCCESS:
-		{
-			eap_packet_t eap_packet;
-
-			eap_packet.code = PW_EAP_REQUEST;
-			eap_packet.id = handler->eap_ds->response->id + 1;
-			eap_packet.length[0] = 0;
-			eap_packet.length[1] = EAP_HEADER_LEN + 1;
-			eap_packet.data[0] = PW_EAP_IDENTITY;
-
-			(tls_session->record_plus)(&tls_session->clean_in,
-						  &eap_packet, sizeof(eap_packet));
-			
-			tls_handshake_send(tls_session);
-			(tls_session->record_init)(&tls_session->clean_in);
-		}
-		eaptls_request(handler->eap_ds, tls_session);
-		DEBUG2("  rlm_eap_peap: EAPTLS_SUCCESS");
-		return 1;
+		RDEBUG2("EAPTLS_SUCCESS");
+		peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
+		break;
 
 		/*
 		 *	The TLS code is still working on the TLS
@@ -205,7 +230,12 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	do nothing.
 		 */
 	case EAPTLS_HANDLED:
-		DEBUG2("  rlm_eap_peap: EAPTLS_HANDLED");
+	  /*
+	   *	FIXME: If the SSL session is established, grab the state
+	   *	and EAP id from the inner tunnel, and update it with
+	   *	the expected EAP id!
+	   */
+		RDEBUG2("EAPTLS_HANDLED");
 		return 1;
 
 		/*
@@ -213,14 +243,14 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	data.
 		 */
 	case EAPTLS_OK:
-		DEBUG2("  rlm_eap_peap: EAPTLS_OK");
+		RDEBUG2("EAPTLS_OK");
 		break;
 
 		/*
 		 *	Anything else: fail.
 		 */
 	default:
-		DEBUG2("  rlm_eap_peap: EAPTLS_OTHERS");
+		RDEBUG2("EAPTLS_OTHERS");
 		return 0;
 	}
 
@@ -228,7 +258,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 	 *	Session is established, proceed with decoding
 	 *	tunneled data.
 	 */
-	DEBUG2("  rlm_eap_peap: Session established.  Decoding tunneled attributes.");
+	RDEBUG2("Session established.  Decoding tunneled attributes.");
 
 	/*
 	 *	We may need PEAP data associated with the session, so
@@ -245,7 +275,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 	rcode = eappeap_process(handler, tls_session);
 	switch (rcode) {
 	case RLM_MODULE_REJECT:
-		eaptls_fail(handler->eap_ds, 0);
+		eaptls_fail(handler, 0);
 		return 0;
 
 	case RLM_MODULE_HANDLED:
@@ -253,24 +283,28 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		return 1;
 
 	case RLM_MODULE_OK:
-		eaptls_success(handler->eap_ds, 0);
-
 		/*
 		 *	Move the saved VP's from the Access-Accept to
 		 *	our Access-Accept.
 		 */
-		if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) {
-			DEBUG2("  Using saved attributes from the original Access-Accept");
+		peap = tls_session->opaque;
+		if (peap->soh_reply_vps) {
+			RDEBUG2("Using saved attributes from the SoH reply");
+			debug_pair_list(peap->soh_reply_vps);
+			pairadd(&handler->request->reply->vps, peap->soh_reply_vps);
+			peap->soh_reply_vps = NULL;
+		}
+		if (peap->accept_vps) {
+			RDEBUG2("Using saved attributes from the original Access-Accept");
+			debug_pair_list(peap->accept_vps);
+			pairadd(&handler->request->reply->vps, peap->accept_vps);
+			peap->accept_vps = NULL;
 		}
-		pairadd(&handler->request->reply->vps,
-			((peap_tunnel_t *) tls_session->opaque)->accept_vps);
-		((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL;
-
-		eaptls_gen_mppe_keys(&handler->request->reply->vps,
-				     tls_session->ssl,
-				     "client EAP encryption");
 
-		return 1;
+		/*
+		 *	Success: Automatically return MPPE keys.
+		 */
+		return eaptls_success(handler, 0);
 
 		/*
 		 *	No response packet, MUST be proxying it.
@@ -279,7 +313,9 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	will proxy it, rather than returning an EAP packet.
 		 */
 	case RLM_MODULE_UPDATED:
+#ifdef WITH_PROXY
 		rad_assert(handler->request->proxy != NULL);
+#endif
 		return 1;
 		break;
 
@@ -287,7 +323,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 		break;
 	}
 
-	eaptls_fail(handler->eap_ds, 0);
+	eaptls_fail(handler, 0);
 	return 0;
 }